delete secure database

[hireagenius via AccessMonster.com]

Hi Access Heros,
I thought I developed a secure database. I even disabled the shift bypass
key from information written by Joan on a previous thread. So I test loaded
the fe on a different computer and said "lets try deleting the be" (I made a
copy first) Guess what? It worked! We deleted the be. I reviewed the
security accounts and permissions on the fe and be. Neither the Group, nor
the TestUser had delete permissions on the database, only Open/Run. Did the
security have anything to do with it? It seems anyone with read/write access
to the folder on the network where the be resides would be able to delete the
database. I have missed a step in security.

It shows that "Developer" (me) is the owner.

There are no permissions for the User Group.
There are no permissions for the Admin User.
The Admin Group has permissions on tables, but none on the database.
Thank you for your help (once again).
Sincerely, Charlie

 

[TC]

Access secuity can not control what a person can do when they are not
logged-in to Access, and are only Windows. In particular, Access
security can not stop people from deleting the BE file using normal
Windows techniques.

HTH,
TC (MVP Access)
http://tc2.atspace.com

 

[hireagenius via AccessMonster.com]

Access secuity can not control what a person can do when they are not
logged-in to Access, and are only Windows. In particular, Access
security can not stop people from deleting the BE file using normal
Windows techniques.

HTH,
TC (MVP Access)
http://tc2.atspace.com

Thank you for the response. I see that as a HUGE security hole. I will make
frequent backups. Hopefully I won't have that problem but the reason I had
to work so hard on the security was due to malicious users.

 

[Keith Wilby]

Thank you for the response. I see that as a HUGE security hole. I will
make
frequent backups. Hopefully I won't have that problem but the reason I
had
to work so hard on the security was due to malicious users.

Although users need RWXD permissions to the folder, you can customise file
permissions such that the mdb *file* has RWX permissions and therefore
cannot be deleted.

Regards,
Keith.
www.keithwilby.com

 

[Joan Wild]

Although users need RWXD permissions to the folder, you can customise
file permissions such that the mdb *file* has RWX permissions and
therefore cannot be deleted.

Although this is true, the next time the mdb file is compacted, it will
inherit permissions from the folder and become RWXD again; so you have to
remember to reset the permissions.

An alternative is to hide the folder so users can't get to it so easily.

\\server\share$ rather than \\server\share

If they know the path, they can still get to it, so don't tell them

And of course, frequent backups.

 

[Rick Brandt]

Thank you for the response. I see that as a HUGE security hole. I
will make frequent backups. Hopefully I won't have that problem but
the reason I had to work so hard on the security was due to malicious
users.

If you need to protect data from non-users use Windows security.

If you need to protect data from users don't put it in an MDB file.

 

[hireagenius via AccessMonster.com]

Okay. Thank you. I called the IT department and put in my request for the
folder. Charlie

 

[hireagenius via AccessMonster.com]

[quoted text clipped - 9 lines]

the reason I had to work so hard on the security was due to malicious
users.

If you need to protect data from non-users use Windows security.

If you need to protect data from users don't put it in an MDB file.

Rick - what are you suggesting? I am using access. It is an .mdb file.
Charlie

 

[Rick Brandt]

Access secuity can not control what a person can do when they are
not logged-in to Access, and are only Windows. In particular,
Access

[quoted text clipped - 9 lines]

the reason I had to work so hard on the security was due to
malicious users.

If you need to protect data from non-users use Windows security.

If you need to protect data from users don't put it in an MDB file.

Rick - what are you suggesting? I am using access. It is an .mdb
file. Charlie

I'm suggesting that if you need data to be protected from legitimate users
of your application then you should not be storing it in an MDB file. You
should be using a server back end like SQL Server or similar. Only with
that can you give access to data without giving access to the physical files
containing the data.

If data is in a file then it can be destroyed by someone who is granted
access to the file and when you store your data in an MDB then *Users* must
have file access to get to the data.

You can erect barriers and obfuscate things, but you cannot ultimately
protect data in an MDB from someone who is allowed to use the file. In many
apps it is only vital to protect the data from non-users and for that
windows networking permissions fill the bill nicely.

 

[hireagenius via AccessMonster.com]

Thanks Rick. I don't have the resources you are reccommending. I took the
suggestion from Joan on getting delete permissions removed from the Windows
folder. Perhaps I can pursue Windows security more to see if i can isolate
who my malicious users are and deal it from that angle. Charlie

[quoted text clipped - 9 lines]

Rick - what are you suggesting? I am using access. It is an .mdb
file. Charlie

I'm suggesting that if you need data to be protected from legitimate users
of your application then you should not be storing it in an MDB file. You
should be using a server back end like SQL Server or similar. Only with
that can you give access to data without giving access to the physical files
containing the data.

If data is in a file then it can be destroyed by someone who is granted
access to the file and when you store your data in an MDB then *Users* must
have file access to get to the data.

You can erect barriers and obfuscate things, but you cannot ultimately
protect data in an MDB from someone who is allowed to use the file. In many
apps it is only vital to protect the data from non-users and for that
windows networking permissions fill the bill nicely.